12-26-2006 09:51 AM - edited 03-11-2019 02:12 AM
Hi,
First off, this is my first site-to-site VPN I have set up from start to finish. I want to set up a tunnel with a client to access their mainframe. My inside addresses allowed through will be 192.168.x.x/29, and they access 2 IPs on the client's side. In PDM I created 2 object groups called Baptistinside (192.168.x.x/29) and Baptist_outside (mainframe and intranet side). We agreed on the following policy:
IKE
3DES
Pre-shared keys
SHA/HMAC-128
DH-Group Group2
Lifetime 86400
IPSec
ESP/SHA/HMAC-128
3DES
lifetime 28800
I had an IKE policy that met the requirement. I created a new transform set in PDM called Baptist (command preview):
'crypto ipsec transform-set Baptist esp-3des esp-sha-hmac'
Then I created an IPSec rule (in PDM) using the object groups I created:
access-list nonat line 12 permit ip object-group Baptistinside object-group Baptist_outside
nat (inside) 0 access-list nonat
access-list outside_cryptomap_22 remark Rule to access Batist Health System Imageing 10.10.x.x and mainframe 10.10.x.x
access-list outside_cryptomap_22 permit ip object-group Baptistinside object-group Baptist_outside
crypto map P2PVPNS 22 set peer 70.158.x.x
crypto map P2PVPNS 22 match address outside_cryptomap_22
crypto map P2PVPNS 22 set transform-set Baptist
crypto map P2PVPNS 22 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map P2PVPNS interface outside
but it returns this:
[OK] access-list nonat line 12 permit ip object-group Baptistinside object-group Baptist_outside
[OK] nat (inside) 0 access-list nonat
[OK] access-list outside_cryptomap_22 remark Rule to access Batist Health System Imageing 10.10.x.x and mainframe 10.10.x.x
[OK] access-list outside_cryptomap_22 permit ip object-group Baptistinside object-group Baptist_outside
[ERR]crypto map P2PVPNS 22 set peer 70.158.x.x
WARNING: This crypto map is incomplete.
To remedy the situation add a peer and a valid access-list to this crypto map.
[OK] crypto map P2PVPNS 22 match address outside_cryptomap_22
[OK] crypto map P2PVPNS 22 set transform-set Baptist
[OK] crypto map P2PVPNS 22 set security-association lifetime seconds 28800 kilobytes 4608000
[OK] crypto map P2PVPNS interface outside
Not sure what I'm doing wrong.
12-26-2006 11:13 AM
Hi,
Can you post what the object-group Baptistinside and the object-group Baptist_outside are made of?
Thanks
12-26-2006 01:23 PM
Here are the commands I used to create the object groups:
pdm group Baptist_outside outside
object-group network Baptist_outside
description IP address for Baptist Health system Web and mainfrain
network-object 10.x.x.x 255.255.255.255
network-object 10.x.x.x 255.255.255.255
pdm group Baptistinside inside
object-group network Baptistinside
description IP addresses allow to site 2 site VPN
network-object 192.x.x.x 255.255.255.248
01-03-2007 04:17 PM
Can you post the complete config? As for the posted config, you are missing these parts:
tunnel-group 70.158.x.x type ipsec-l2l
tunnel-group 70.158.x.x ipsec-attributes
pre-shared-key "youpresharedkey"
Another thing to try is not to use object-groups in your ACL. Try to create an ACL with two lines for both the NONAT ACL and the SA ACL.
Let me know how it goes,
Regards,
01-04-2007 12:02 AM
Is it the error line about an incomplete crypto map that is concerning you?
If so, this is normal and nothing to worry about. Whether you do it via the CLI or via PDM, once you set the peer address you always get an error message about an incomplete crypto map. Once you have added the match address line it stops complaining.
In effect the error line can be ignored. Have you tried out the VPN connectivity to see if it is working ?
HTH
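The behaviour the last reply describes (the "incomplete crypto map" warning fires right after "set peer" and clears once "match address" is applied) can be reproduced offline. The script below is an added example written for this page, not Cisco code and not anything posted in the thread. It replays the command preview from the first post line by line, keeping the masked addresses as placeholders, and applies the completeness rule the PIX states in its own warning (an entry needs a peer and a valid access-list); it also flags a missing or undefined transform set, which the PIX warning does not mention. The line format it parses is the PIX/ASA syntax shown in the thread and nothing more.

```python
"""Replay PIX-style crypto map commands and report when an entry is incomplete.

Constructed example for this thread: the sample lines are the command preview
from the first post (addresses masked with x as in the post, kept as placeholders).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# "crypto map <name> <seq> <verb> <args>"; the "interface outside" line has no
# numeric sequence and is deliberately not matched here.
CRYPTO_MAP_RE = re.compile(
    r"^crypto map (\S+) (\d+) (set peer|match address|set transform-set|"
    r"set security-association) (.+)$"
)
# Only permit entries make an access-list "valid" for a crypto map; remarks do not.
ACL_RE = re.compile(r"^access-list (\S+) (?:line \d+ )?permit ")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) ")


@dataclass
class CryptoMapEntry:
    peers: List[str] = field(default_factory=list)
    acl: Optional[str] = None
    transform_sets: List[str] = field(default_factory=list)


@dataclass
class ConfigState:
    acls: Set[str] = field(default_factory=set)
    transform_sets: Set[str] = field(default_factory=set)
    entries: Dict[Tuple[str, int], CryptoMapEntry] = field(default_factory=dict)


def apply_line(state: ConfigState, line: str) -> Optional[Tuple[str, int]]:
    """Apply one config line; return the (map, seq) key if it touched a crypto map entry."""
    line = line.strip()
    m = TS_RE.match(line)
    if m:
        state.transform_sets.add(m.group(1))
        return None
    m = ACL_RE.match(line)
    if m:
        state.acls.add(m.group(1))
        return None
    m = CRYPTO_MAP_RE.match(line)
    if not m:
        return None
    name, seq, verb, arg = m.groups()
    key = (name, int(seq))
    entry = state.entries.setdefault(key, CryptoMapEntry())
    if verb == "set peer":
        entry.peers.extend(arg.split())
    elif verb == "match address":
        entry.acl = arg.split()[0]
    elif verb == "set transform-set":
        entry.transform_sets.extend(arg.split())
    return key


def pix_would_warn(state: ConfigState, key: Tuple[str, int]) -> bool:
    """Mirror the PIX warning text: incomplete = no peer, or no valid access-list."""
    e = state.entries[key]
    return not e.peers or e.acl is None or e.acl not in state.acls


def entry_problems(state: ConfigState, key: Tuple[str, int]) -> List[str]:
    """Everything a reviewer would want to know about the entry, warning or not."""
    e = state.entries[key]
    problems = []
    if not e.peers:
        problems.append("no peer")
    if e.acl is None:
        problems.append("no match address")
    elif e.acl not in state.acls:
        problems.append(f"access-list {e.acl} has no permit entries")
    if not e.transform_sets:
        problems.append("no transform-set")
    else:
        problems.extend(f"transform-set {ts} not defined"
                        for ts in e.transform_sets if ts not in state.transform_sets)
    return problems


def replay(lines: List[str]) -> List[Tuple[str, bool, List[str]]]:
    """Apply lines in order; after each crypto map line, record the entry's state."""
    state = ConfigState()
    report = []
    for line in lines:
        key = apply_line(state, line)
        if key is not None:
            report.append((line, pix_would_warn(state, key), entry_problems(state, key)))
    return report


# Command preview from the first post, in the order PDM sent it.
SAMPLE_PREVIEW = [
    "crypto ipsec transform-set Baptist esp-3des esp-sha-hmac",
    "access-list nonat line 12 permit ip object-group Baptistinside object-group Baptist_outside",
    "nat (inside) 0 access-list nonat",
    "access-list outside_cryptomap_22 remark Rule to access mainframe and imaging hosts",
    "access-list outside_cryptomap_22 permit ip object-group Baptistinside object-group Baptist_outside",
    "crypto map P2PVPNS 22 set peer 70.158.x.x",
    "crypto map P2PVPNS 22 match address outside_cryptomap_22",
    "crypto map P2PVPNS 22 set transform-set Baptist",
    "crypto map P2PVPNS 22 set security-association lifetime seconds 28800 kilobytes 4608000",
    "crypto map P2PVPNS interface outside",
]

if __name__ == "__main__":
    for line, warns, problems in replay(SAMPLE_PREVIEW):
        tag = "[ERR]" if warns else "[OK] "
        print(tag, line, ("; ".join(problems) or "complete"))
```

Running it shows the warning only on the "set peer" line, because at that moment the entry has a peer but no access-list yet; the very next line satisfies the PIX's rule, which is why the reply above says the message can be ignored once "match address" follows. The same replay also catches the case the PIX warning does not explain well: a "match address" that names an access-list with no permit entries stays incomplete even after the peer is set.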